We changed this to DEFAULT:FEDORA32 a while back because the certs for
the old totpcgi sudo needed it to work. Now thats all gone and we are
100% on ipa and sssd, this should no longer be needed.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Something is broken with smtp_tls_connection_reuse = yes, so disable it
for now. Also, setup a tls_policy map file and tell it to not use tls
for mx2.redhat.com. The normal smtp connection reuse works just fine, so
this will keep mail flowing until we can one day figure out why tls
connection reuse is busted.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We fixed the config in a PR from aheath1992 for most of the machines,
but we need to fix vpn (proxies in particular) and releng boxes now.
Also, while we are here, lets drop the phx2 file since it's not used
anymore.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Without this it wasn't caching tls connections and was going over the
small limit redhat.com mx had. Hopefully this gets mail flowing again.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
So, without this tlsproxy wasn't working and no connection reuse was
happening. With it, it seems to be processing away nicely and reusing
connections.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Recently, redhat.com changed internal MX servers. The new servers are
have rate limits on incoming emails from one ip and admins there don't
want to add a bunch of exceptions, so we need to adjust our end to not
flood connections to them. Currently, connections burst up to 100 (the
smtp postfix default) which goes over their limits and causes the
internal MX to reject emails from us for a while.
So, this change:
* Adds some domains to fast_flush. This allows us to use postqueue -s
domain to flush emails to a particular domain.
* Changes the smtp limit to 40. This is under the redhat.com limit.
* Has ansible actually install the master.cf.gateway on bastion servers.
Currently they were using the stock/default one.
* Enables the tlsproxy service, which is actually needed to get that tls
reuse working.
After these changes, we keep few connections to the redhat.com mx open,
but we reuse them and send more emails over existing connections. No
'too many connection emails' have happened since the changes.
The queue slowly seems to be processing down.
Since this was causing an outage of email, I have already applied these
things to bastion01, but I'd like to make sure we match up to whats in
ansible.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Right now we are hitting redhat.com mx server connection limits.
This might be because we are starting too many new connections at once.
Enabling this should reduce the new connections by reusing existing
ones.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
In addition to the cloud_aws group, we want to exclude ibiblio virthosts
as they use bonding and thats a more complex setup. Someday we should
get it working here.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Everything should now be using linux-system-roles/network, so we drop
our hacky nmcli calls and everything that referred to them, including
exclude variables. Also, lets just let NM handle resolv.conf so it's not
wrong all the time on reboots.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Most of our vpn hosts are on a 192.168.1.0/24 network.
However we have a small number on a 'less secure' 'less trusted' subnet:
192.168.100.0/24. This change adds in logic to:
* on log01, allow rsyslog from 192.168.100.x hosts
* on ipa servers, allow ipa ports for 192.168.100.x hosts
* then reject everything else.
This will make sure 192.168.100.x hosts can only hit ssh and the two
above items, otherwise all vpn hosts will reject their traffic. This
should add a bit of security to having those hosts on the vpn.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This should only affect stg hosts.
We had set all of iad2 the same, prod and stg both.
We need to make sure stg resolves to stg hosts first.
This worked somewhat until now because we replace the resolv.conf on stg
hosts, but without this they are borken right after boot and until we
replace the resolv.conf and restart httpd or other services.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Note that this will not yet work, it needs the RHIT firewall between
vlans opened on these ports first, but after that this is needed to
allow them to use those ports.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
In IAD2 the prod and stg hosts are on different VLANs, so we thought we
didn't need this. However, we are still seeing some odd mixing of prod
and stg fedmsgs, so likely some fedmsg port has become enabled accross
all the VLANS. In any case this should do no harm, it just adds 2
subnets on all prod hosts to block staging, except for a small number of
staging_friendly hosts (in the staging_friendly ansible group).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Found the reason that the definitions I had put were not
working. There were two different ones and i was looking at the wrong
one. Put the two tasks with the same logic so things should work no
matter which one is run.
We need to always run these even in check mode, because they register
things used in the last one of them. So, this could change this in check
mode if we modify it. Be careful!
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
